CVE-2025-47914 — Out-of-bounds Read in X Crypto Golang.org X Crypto SSH Agent

CWE-125 — Out-of-bounds Read9 documents7 sources

Severity

5.3MEDIUMNVD

EPSS

0.0%

top 94.36%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Golang.org X Crypto Golang.org X Crypto SSH Agent Golang.org X Crypto Golang Crypto

Timeline

PublishedNov 19

Description

SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:LExploitability: 3.9 | Impact: 1.4

Affected Packages3 packages

▶CVEListV5golang.org/x_crypto_golang.org_x_crypto_ssh_agent< 0.45.0

▶NVDgolang/crypto< 0.45.0

▶Gogolang.org/x_crypto< 0.45.0

Patches

Patch: go.dev ↗Patch: go.dev ↗

🔴Vulnerability Details

CVEList

Malformed constraint may cause denial of service in golang.org/x/crypto/ssh/agent↗2025-11-19

▶

GHSA

golang.org/x/crypto/ssh/agent vulnerable to panic if message is malformed due to out of bounds read↗2025-11-19

▶

OSV

CVE-2025-47914: SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is m↗2025-11-19

▶

OSV

Malformed constraint may cause denial of service in golang.org/x/crypto/ssh/agent↗2025-11-19

▶

OSV

golang.org/x/crypto/ssh/agent vulnerable to panic if message is malformed due to out of bounds read↗2025-11-19

▶

📋Vendor Advisories

Red Hat

golang.org/x/crypto/ssh/agent: SSH Agent servers: Denial of Service due to malformed messages↗2025-11-19

▶

Debian

CVE-2025-47914: golang-go.crypto - SSH Agent servers do not validate the size of messages when processing new ident...↗2025

▶

💬Community

Bugzilla

CVE-2025-47914 golang.org/x/crypto/ssh/agent: SSH Agent servers: Denial of Service due to malformed messages↗2025-11-19

▶